Date:      Tue, 23 May 2000 19:25:36 -0700 (PDT)
From:      Scott Hess <scott@avantgo.com>
To:        Lehquin@aol.com
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: firewall, how much horsepower?
Message-ID:  <Pine.LNX.4.21.0005231919200.16972-100000@river.avantgo.com>
In-Reply-To: <9f.5b1fdb1.265b3b7a@aol.com>

On Mon, 22 May 2000 Lehquin@aol.com wrote:
> I'm thinking about a network connection to the internet, either ISDN
> or DSL router. If I want to set up a firewall using FreeBSD, how much
> horsepower does the box need? I'm thinking that it won't need much
> power to just pass IP packets back and forth. It will just need
> 2 ethernet cards, right? Would a 486 66 w/ pentium upgrade chip and
> 64Meg Ram be enough?

Long long ago, I used a 66MHz 486 w/32M of RAM as a firewall/NAT box,
under RedHat 4.2.  It was way overpowered for that job.  The primary reason
I upgraded it was that: a) the 486 was very loud and big, and b) if I ever
wanted to rebuild a kernel or something to try out a wacky new feature
related to what the box did, it took literally forever.

> Regardless of the horsepower, what about other services? Can I run
> sendmail and DNS on the same box that's the firewall? How do I
> make sure that the "Server Services" are protected behind the firewall
> even though they are on the same box? Would this mean that the
> server services would answer TCP/IP packets only on the ethernet
> interface that is on my side of the firewall?

You can do all of this, the question is whether you should.  If you aren't
running any services on the firewall box, then those services cannot be
used to break into the firewall box.  If you run sendmail, someone can
still crack the box sendmail is running on, but you can still have a
working firewall (instead of turning off the firewalling, the cracker can
poke a port back out - but at least other people can't just waltz in at
that point).

My feeling for home networks is that it doesn't really make much
difference.  After all, once they've broken into one of your machines,
they _most_ likely can break the others at their leisure, anyhow.

That said, you can certainly arrange so that services only listen on
internal ports, and you can arrange that the firewalling rules do not
forward packets from the outside world to your selected services.  Either
option is probably sufficient, but I'd try hard to do both, if I could.

Later,
scott
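Doing both of the things Scott recommends on a two-NIC FreeBSD box, as an added example that is not part of the thread: sendmail and named bound to the inside address only, plus an ipfw ruleset that refuses those ports on the outside interface even if the binding is ever misconfigured. The interface names (ed0/ed1), the LAN prefix and the firewall's inside address are assumptions, and NAT (natd) is left out.

```sh
#!/bin/sh
# Constructed example: firewall box that also runs sendmail and named.
# Interface names, LAN prefix and inside address are assumptions; adjust.
ext_if=${EXT_IF:-ed0}                 # NIC facing the ISDN/DSL router
int_if=${INT_IF:-ed1}                 # NIC facing the home LAN
int_net=${INT_NET:-192.168.1.0/24}    # LAN prefix (add natd if private)
int_addr=${INT_ADDR:-192.168.1.1}     # firewall's own inside address
fwcmd=${FWCMD:-"echo ipfw"}           # dry run; FWCMD=/sbin/ipfw applies

# Layer 1: make the daemons listen on the inside address only.
listener_config() {
    cat <<EOF
# sendmail .mc (or "O DaemonPortOptions=Addr=${int_addr}" in sendmail.cf)
DAEMON_OPTIONS(\`Addr=${int_addr}, Name=MTA')
# named.conf
options { listen-on { ${int_addr}; }; };
EOF
}

# Layer 2: ipfw rules. First match wins, so order matters.
fw_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 check-state
    # LAN hosts and the firewall itself may open connections outward;
    # keep-state lets only the replies back in.
    $fwcmd add 300 allow tcp from $int_net to any out via $ext_if setup keep-state
    $fwcmd add 310 allow udp from $int_net to any out via $ext_if keep-state
    $fwcmd add 320 allow tcp from me to any out via $ext_if setup keep-state
    $fwcmd add 330 allow udp from me to any out via $ext_if keep-state
    # LAN hosts may reach the firewall's mail and DNS on the inside NIC.
    $fwcmd add 400 allow tcp from $int_net to me 25,53 in via $int_if setup keep-state
    $fwcmd add 410 allow udp from $int_net to me 53 in via $int_if keep-state
    # The outside world never reaches those services, whatever they bind to.
    $fwcmd add 500 deny log tcp from any to me 25,53 in via $ext_if
    $fwcmd add 510 deny log udp from any to me 53 in via $ext_if
    # ...nor may it start any other connection, to the box or through it.
    $fwcmd add 600 deny log tcp from any to any in via $ext_if setup
    $fwcmd add 65000 deny log ip from any to any
}

# Preview (or apply, with FWCMD set) the ruleset when run directly.
fw_rules
```

Run it as-is to preview the rules; `listener_config` prints the matching sendmail and named fragments for the inside address.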
